Posts in Category: HIPAA

The proliferation of cyberattacks on healthcare providers is well known, with new reports continuing to highlight the problem.

More than 216 hospitals were included in 1,798 breaches between Oct. 21, 2009 and Dec. 31, 2016, according to a report last week in The Journal of the American Medical Association. Additionally, 33 hospitals, or 15 percent, reported more than one breach. Of the 141 affected acute care hospitals, 52 were major academic medical centers.

Also, about 20,000 patients were affected in 24 of the 216 breached hospitals, and six hospitals had over 60,000 breached patient records.

Another recent report found that ransomware attacks more than quadrupled in 2016, with nearly half happening in the healthcare sector. These types of attacks are projected to double again in 2017, Beazley Breach Insights reported.

Some efforts are underway to form a coordinated response to this problem.

At a hearing last week before the House Energy and Commerce Subcommittee on Oversight and Investigations to address cyberattacks in the healthcare industry, Terry Rice, VP of IT risk management and CISO at Merck, indicated that cybersecurity has become a top concern for healthcare organizations.

While hundreds of millions of health records have been compromised in data breaches in recent years, the extent of the problem may be inadequately reported. “Unfortunately, I believe these incidents underrepresent the risks we are facing as an industry,” Rice said.

To fight cyberattacks, Congress should provide organizations tax breaks for Information Sharing and Analysis Centers, educate the industry on the importance of information sharing, protect data shared through ISACs and advocate for public-private partnerships, Denise Anderson, president of the National Health Information Sharing and Analysis Center, told the lawmakers.

“It’s become increasingly apparent that the industry needs a government representative who understands cybersecurity issues, threats, vulnerabilities and impacts, as well as the blended threats between physical and cybersecurity,” said Anderson.

At LUMEDX, privacy, security and of course HIPAA compliance are the essence of our software solutions. We invite you to read our Privacy and Security Policy, our Editorial and Advertising Policy, and our Terms and Conditions of Use. Feel free to browse throughout LUMEDX.com, and please read our Mission Statement in the "About Us" section of LUMEDX.com.

The number of clinicians who use smartphones and other mobile devices on the job is rising rapidly, and so is the number of facilities that have created mobile device management strategies to cope. "Organizations with a documented mobility strategy have nearly doubled, and in-house use of pagers has increased slightly during the past two years," according to Health Data Management.

Almost 90 percent of physicians surveyed reported using smartphones, while about half of nurses and other staff members use them. In response, more than 60 percent of hospitals surveyed have a documented mobile device strategy. (The survey, by mobile messaging service vendor Spok, included responses from about 550 hospitals.)

The leading mobile devices used in hospitals are:

Smartphones (78 percent)

In-house pagers (71 percent)

Wi-Fi phones (69 percent)

Wide-area pagers (57 percent)

Tablets (52 percent)

Security and privacy, of course, are huge concerns for those setting mobile device policy, leading some organizations to forbid clinicians to use personal devices for work-related communication. About 80 percent of surveyed hospitals with such policies cited fear of data breaches as the reason behind their rules.

What's the mobile device policy at your organization? Share your thoughts with the LUMEDX community by commenting below.

More than 113 million electronic health records were breached in 2015, a year that saw a total of 56 cybersecurity attacks in healthcare alone. That's a 13-fold increase from 2006 to 2015.

The Government Accountability Office isn't going to let those cybersecurity failures go unremarked upon. The GAO last week came down hard on the Department of Health and Human Services, pointing out a number of weaknesses in efforts by HHS to help health plans and other providers protect data.

"HHS has established an oversight program for compliance with privacy and security regulations, but its actions did not always fully verify that the regulations were implemented," wrote the GAO in a report released Sept. 26. The report also called out HHS for giving technical assistance "that was not pertinent to identified problems" in cybersecurity, and for failing to follow up on cases it investigated.

In short, the GAO found, loss or misuse of health information is not being adequately addressed by HHS. To help healthcare organizations comply with HIPAA and prevent further data breaches, the Office said, HHS should take the following corrective actions:

The Food and Drug Administration has issued draft guidelines that outline how medical device manufacturers can prevent cybersecurity threats. In addition to incorporating controls in device designs, makers must also consider ongoing improvements because risks could occur over the devices’ lifecycles.

“The sickness, hospital-centric model of healthcare, which has been in place in this country since the mid-1960s, is giving way to an ‘anywhere care’ model that centers on population health management,” according to Executive Insight, which lays out four leadership imperatives to improve population health management.

Better coordination between hospitals and post-acute care facilities could decrease the number of patient readmissions to hospitals, and could also reduce mortality rates. A new study by researchers from the University of Colorado School of Medicine identified specific risk factors that led to hospital readmissions. Almost 50 percent of those readmissions happened within two weeks of patients’ being released from hospitals.

Hospitals are making changes in certain departments and service lines with the needs of older patients in mind. From the emergency department to the OR, healthcare organizations are looking at new ways to treat the aging population.

In the future, smartphones might help prevent heart attacks and strokes. That's according to Eric Topol, MD, a cardiologist and director of the Scripps Translational Science Institute, who wrote an opinion piece for the Wall Street Journal. Topol predicts that patients will use their smartphones to provide doctors with continuous data on themselves, as opposed to waiting for office visits, a practice that would provide for earlier diagnosis and treatment.

In wealthy countries, patient mortality doesn't suffer because of work stoppages by physicians, according to a new study published in The BMJ. Mortality rates even fell during some strikes. Researchers theorized that patient mortality didn't increase during strikes because hospitals cancelled elective surgeries and continued to offer emergency care, among other reasons. They also noted that many doctors continued to work during strikes, and theorized that those who worked were better rested, enabling them to provide better care.

Patients with adult congenital heart disease (ACHD) face a substantially higher risk of ischemic and hemorrhagic strokes than the general population, according to a retrospective study. "Compared with the general population, patients with ACHD who were younger than 55 years old had a 9 to 12 times higher rate of ischemic stroke, and a 5 to 6 times higher rate of hemorrhagic stroke," the study found. "Patients with ACHD who were 55 to 64 years old had a 2 to 4 times higher rate of ischemic strokes." Heart failure, diabetes and recent MI were the biggest predictors of ischemic stroke.

Despite the prevalence of hacking, many hospitals haven't implemented strong web security programs, according to a survey conducted by HIMSS Analytics and Akamai, a content delivery network. More than 39 percent of hospitals in the survey reported that they don't have web application firewalls in place. And 35 percent of healthcare organizations are "vulnerable to a type of cyberattack that is increasing in frequency and size across all industries," the survey said.

Patients deemed to be at too high a risk for transcatheter aortic valve replacement (TAVR) can benefit from balloon aortic valvuloplasty (BAV), according to a new study. "For patients in whom BAV is the only structural treatment available to relieve their symptomatology, repeat BAV performance is one of the only means to maintain symptomatic control in an otherwise very high-risk patient population," the study's authors note.

Ninety-four percent of hospitals responding to a recent survey experienced a data breach in the past two years, according to the Ponemon Institute. Forty-five percent of these hospitals indicated that their data was breached more than five times – an increase from 2010 when the percentage of respondents indicating more than five breaches was 29 percent.

With the potential for penalties under HIPAA, the cost of notifying stakeholders and civil suit awards, the possibility that these hospitals could be stuck with millions in costs due to data breaches is staggering.

Even more discouraging, those hospitals that had not joined a health information exchange (HIE) cited low confidence, or a lack of confidence, in data security as the number one reason they were reluctant to share information within organizations.

As the move to electronic health records (EHR) continues, what measures is your organization taking to ensure patient data security?